working version with fixed link and GET for tracing purposes (#677)

* working version with fixed link and GET for tracing purposes

* added integration test

* filter on request log

webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java

@@ -1,8 +1,6 @@
 package org.owasp.webgoat;
 
 import io.restassured.RestAssured;
-import io.restassured.config.RestAssuredConfig;
-import io.restassured.config.SSLConfig;
 import io.restassured.http.ContentType;
 import lombok.Getter;
 import org.hamcrest.CoreMatchers;
@@ -22,14 +20,11 @@ import static io.restassured.RestAssured.given;
 
 public abstract class IntegrationTest {
 
-    protected static int WG_PORT = 8843;
+    protected static int WG_PORT = 8080;
     protected static int WW_PORT = 9090;
     private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
     private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";
     private static boolean WG_SSL = false;//enable this if you want to run the test on ssl
-
-    //TODO no longer required but will be removed once all usages are removed
-    protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
     
     @Getter
     private String webGoatCookie;
@@ -248,7 +243,7 @@ public abstract class IntegrationTest {
         Assert.assertThat(
                 RestAssured.given()
                         .when()
-                        .config(restConfig)
+                        .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())   
                         .queryParams(params)
                         .get(url)                        

webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java

@@ -92,7 +92,6 @@ public class JWTLessonTest extends IntegrationTest {
                         .formParam("token", generateToken(secret))
                         .post(url("/WebGoat/JWT/secret"))
                         .then()
-                        .log().all()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     	

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java

@@ -37,7 +37,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
 		checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack10b"), params, true);
 		
 		RestAssured.given()
-		.when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie())
+		.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
 		.contentType(ContentType.JSON)
 		.get(url("/WebGoat/SqlInjectionMitigations/servers?column=(case when (true) then hostname else id end)"))
 		.then()

webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java

@@ -0,0 +1,72 @@
+package org.owasp.webgoat;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Test;
+
+import io.restassured.RestAssured;
+
+public class WebWolfTest extends IntegrationTest {
+    
+    @Test
+    public void runTests() throws IOException {
+        startLesson("WebWolfIntroduction");
+        
+        //Assignment 3
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("email", getWebgoatUser()+"@webgoat.org");
+        checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false);
+        
+        String responseBody = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("WEBWOLFSESSION", getWebWolfCookie())
+                .get(webWolfUrl("/WebWolf/mail"))
+                .then()
+                .extract().response().getBody().asString();
+        
+        String uniqueCode = responseBody.replace("%20", " ");
+        uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+getWebgoatUser().length()));
+        params.clear();
+        params.put("uniqueCode", uniqueCode);
+        checkAssignment(url("/WebGoat/WebWolf/mail"), params, true);
+        
+        //Assignment 4
+        RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())   
+                        .queryParams(params)
+                        .get(url("/WebGoat/WebWolf/landing/password-reset"))                        
+                        .then()
+                        .statusCode(200);
+        RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .queryParams(params)
+        .get(webWolfUrl("/landing"))                        
+        .then()
+        .statusCode(200);
+        responseBody = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("WEBWOLFSESSION", getWebWolfCookie())
+                .get(webWolfUrl("/WebWolf/requests"))
+                .then()
+                .extract().response().getBody().asString();
+        assertTrue(responseBody.contains(uniqueCode));
+        params.clear();
+        params.put("uniqueCode", uniqueCode);
+        checkAssignment(url("/WebGoat/WebWolf/landing"), params, true);
+        
+        checkResults("/WebWolf");
+        
+    }
+    
+}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java

@@ -39,7 +39,7 @@ public class XSSTest extends IntegrationTest {
         String result =
                 RestAssured.given()
                         .when()
-                        .config(restConfig)
+                        .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .header("webgoat-requested-by", "dom-xss-vuln")
                         .header("X-Requested-With", "XMLHttpRequest")